After a lot of research and troubleshooting, we were able to resolve this issue. It is caused by a group policy setting which prevents Docker from setting up Windows firewall rules necessary to pass the DNS requests around. I found the root cause buried in the comments of an issue raised for Docker Desktop’s open source repo.
- Update the “Apply local firewall rules” group policy setting to Yes for the computer running Docker (your host machine)
- Restart your host or execute `gpupdate /force` to apply the changes
Further info and troubleshooting (aka “Is this what’s causing my issue?”)
To identify whether this is what’s causing your issue, you can do a few relatively simple checks.
1. Are DNS requests failing inside containers?
- Open PowerShell as administrator and run `docker run -it --rm --name miniwin mcr.microsoft.com/windows/servercore:20H2 powershell`
  Note: if your host machine is not compatible with the 20H2 version, you can also use one of Microsoft’s other tags (`ltsc2019` is a good backup option)
- When the command completes, you will be at a PowerShell prompt inside the servercore container you just ran
- Run `nslookup miniwin` - miniwin is the friendly name we gave the container, and looking it up sends a DNS query to Docker’s embedded DNS server
If you receive a response (even a non-authoritative response), DNS is working as expected and this is not your issue.
If you receive a timeout response, then DNS requests are not working and this may be your issue.
2. Is the “Apply local firewall rules” group policy setting set to “No” on my computer?
- Open a CMD or PowerShell window as administrator and run `gpresult /h c:\temp\gp.html` - this creates an HTML file that shows the contents of your computer’s applied group policy
- Open the file you just created (`c:\temp\gp.html`) in a web browser
- Click the “show all” link at the top of the page
- Search the page for “Apply local firewall rules”
- You should see three entries, one each for Domain Profile Settings, Private Profile Settings, and Public Profile Settings. Check the value for each one. If it is No for the network profile you’re currently using, this may be the root cause of your DNS issue.
3. Extra credit - review Windows Firewall logs
If you want to be extra sure, you can enable Windows Firewall logging, issue another `nslookup` command from inside your container, and watch for `DROP UDP` DNS entries on port 53.
- Open the Advanced Firewall Management snap-in (WF.msc)
- Open the Action menu and click Properties
- On the Domain Profile tab, click Customize under the Logging section
  Note: you should do this for whichever network profile your current network connection is using, or do it for all three if you’re not sure
- Turn on logging for dropped packets
- Turn on logging for successful connections
- This should begin logging future firewall traffic to `%systemroot%\system32\LogFiles\Firewall\pfirewall.log` by default, but you can change the location in this properties window if you want
- Return to your PowerShell prompt executing within the container and run `nslookup miniwin` again
- Open the log file (`%systemroot%\system32\LogFiles\Firewall\pfirewall.log` by default) and look for your requests. They will use the UDP protocol on port 53 and will include the IP address of your container as well as the IP address of the DNS server referenced in your container. (You can find both of these by running `ipconfig /all` from inside your container.)
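As an added example (not part of the original post), the following PowerShell scripts checks 2 and 3: it reads the effective “Apply local firewall rules” value for each firewall profile from the active policy store and filters pfirewall.log for dropped UDP packets to port 53. It assumes the default log path, that `Get-NetFirewallProfile` (NetSecurity module, Windows 10 / Server 2016 and later) is available, and that you optionally pass the container IP you found with `ipconfig /all`; the function names are mine.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the host.
# Assumes the default firewall log location and the NetSecurity module.

# Check 2: effective "Apply local firewall rules" per profile.
# ActiveStore shows what is in force after Group Policy is applied;
# AllowLocalFirewallRules = False is the policy set to "No".
function Get-LocalRuleMergeStatus {
    Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
        $value = "$($_.AllowLocalFirewallRules)"   # GpoBoolean: True / False / NotConfigured
        [pscustomobject]@{
            Profile                 = $_.Name
            AllowLocalFirewallRules = $value
            LikelyBlocksDockerDns   = ($value -eq 'False')
        }
    }
}

# Check 3: pull dropped UDP/53 entries out of pfirewall.log.
# The log is W3C format; data lines look like:
#   date time action protocol src-ip dst-ip src-port dst-port size ... path
function Get-DroppedDnsPackets {
    param(
        [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [string]$ContainerIp   # optional: container address from 'ipconfig /all' inside it
    )
    Get-Content -Path $LogPath |
        Where-Object { $_ -and -not $_.StartsWith('#') } |   # skip header/comment lines
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Action   = $f[2]
                Protocol = $f[3]
                SrcIp    = $f[4]
                DstIp    = $f[5]
                DstPort  = ($f[7] -as [int])   # '-' for ICMP entries becomes $null
                Path     = $f[-1]              # SEND or RECEIVE
            }
        } |
        Where-Object {
            $_.Action -eq 'DROP' -and $_.Protocol -eq 'UDP' -and $_.DstPort -eq 53 -and
            (-not $ContainerIp -or $_.SrcIp -eq $ContainerIp -or $_.DstIp -eq $ContainerIp)
        }
}

Get-LocalRuleMergeStatus | Format-Table -AutoSize
Get-DroppedDnsPackets | Format-Table -AutoSize
```

If the first table shows `False` for the profile your connection is using and the second table fills up with entries each time you run `nslookup miniwin` inside the container, you have confirmed the root cause described above.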